
Valid Accounts: Cloud Accounts

Description from ATT&CK

Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management systems, such as Windows Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)

Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a Trusted Relationship. Similar to Domain Accounts, compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment.

Once a cloud account is compromised, an adversary may perform Account Manipulation - for example, by adding Additional Cloud Roles - to maintain persistence and potentially escalate their privileges.

Atomic Tests

Atomic Test #1 - Creating GCP Service Account and Service Account Key

GCP Service Accounts can be used to gain initial access as well as maintain persistence inside Google Cloud.

Supported Platforms: google-workspace,iaas:gcp

auto_generated_guid: 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| project-id | ID of the project in which to create the service account and its key | string | art-project-1 |
| service-account-name | Name of the service account | string | gcp-art-service-account-1 |
| service-account-email | Email of the service account | string | gcp-art-service-account-1@art-project-1.iam.gserviceaccount.com |
| output-key-file | File the service account key is written to | string | gcp-art-service-account-1.json |

Attack Commands: Run with sh!

gcloud auth login --no-launch-browser
gcloud config set project #{project-id}
gcloud iam service-accounts create #{service-account-name}
gcloud iam service-accounts keys create #{output-key-file} --iam-account=#{service-account-email}

Cleanup Commands:

gcloud iam service-accounts delete #{service-account-email} --quiet

Dependencies: Run with sh!

Description: Requires gcloud

Check Prereq Commands:

if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;

Get Prereq Commands:

echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"

Atomic Test #2 - Azure Persistence Automation Runbook Created or Modified

Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target's environment.

Supported Platforms: iaas:azure

auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Azure username | String | None |
| password | Azure password | String | None |
| resource_group | Name of the resource group | String | None |
| runbook_name | Name of the runbook | String | None |
| automation_account_name | Name of the automation account | String | None |

Attack Commands: Run with powershell!

$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-AzAccount -Credential $creds
New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force

Dependencies: Run with powershell!

Description: Requires the Az PowerShell module (Install-Module -Name Az)

Check Prereq Commands:

try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}

Get Prereq Commands:

Install-Module -Name Az -Scope CurrentUser -Force
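Both tests above leave a control-plane audit trail that a defender can alert on: Test #1 produces IAM Admin API entries in GCP Cloud Audit Logs (`CreateServiceAccount`, `CreateServiceAccountKey`), and Test #2 produces an Azure Activity Log record for the runbook write. The script below is an added example, not part of the Atomic Red Team project: it scans newline-delimited JSON exports of those two log sources and reports matches for either test. The GCP method names and the Azure operation name are the ones the platforms emit for these actions as far as I know them; verify them against your own exports. The sample records, the actor `operator@example.com`, the Azure resource group and automation account names, and the `<sub-id>` placeholder are all constructed.

```python
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# GCP: protoPayload.methodName values the IAM Admin API logs for the
# `gcloud iam service-accounts create` / `keys create` commands in Test #1.
GCP_WATCHED_METHODS = {
    "google.iam.admin.v1.CreateServiceAccount": "GCP service account created",
    "google.iam.admin.v1.CreateServiceAccountKey": "GCP service account key created",
}
# Azure: operationName.value written to the Activity Log when
# New-AzAutomationRunbook (Test #2) creates the runbook. The Activity Log
# varies the casing of this value, so matching is done in lower case.
AZURE_WATCHED_OPERATIONS = {
    "microsoft.automation/automationaccounts/runbooks/write":
        "Azure Automation runbook created or modified",
}


@dataclass(frozen=True)
class Finding:
    platform: str
    title: str
    actor: str
    resource: str
    timestamp: str


def classify_gcp(entry: dict) -> Optional[Finding]:
    """Map one GCP Cloud Audit Log entry to a Finding, or None if not watched."""
    payload = entry.get("protoPayload", {})
    title = GCP_WATCHED_METHODS.get(payload.get("methodName", ""))
    if title is None:
        return None
    return Finding(
        platform="gcp", title=title,
        actor=payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>"),
        resource=payload.get("resourceName", "<unknown>"),
        timestamp=entry.get("timestamp", ""),
    )


def classify_azure(entry: dict) -> Optional[Finding]:
    """Map one Azure Activity Log entry to a Finding, or None if not watched.

    Azure writes a Started and a Succeeded record for each operation; only the
    Succeeded record is reported so one runbook write is not counted twice.
    """
    op = entry.get("operationName", {}).get("value", "").lower()
    title = AZURE_WATCHED_OPERATIONS.get(op)
    if title is None or entry.get("status", {}).get("value") != "Succeeded":
        return None
    return Finding(
        platform="azure", title=title,
        actor=entry.get("caller", "<unknown>"),
        resource=entry.get("resourceId", "<unknown>"),
        timestamp=entry.get("eventTimestamp", ""),
    )


def classify(entry: dict) -> Optional[Finding]:
    """Dispatch on log shape: GCP entries carry protoPayload, Azure ones operationName."""
    if "protoPayload" in entry:
        return classify_gcp(entry)
    if "operationName" in entry:
        return classify_azure(entry)
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Scan newline-delimited JSON audit records and return all findings in order."""
    findings: List[Finding] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed export line: skip it rather than abort the scan
        finding = classify(entry)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample export, trimmed to the fields the detector reads.
_SA = "projects/-/serviceAccounts/gcp-art-service-account-1@art-project-1.iam.gserviceaccount.com"
_RB = "/subscriptions/<sub-id>/resourceGroups/rg-art/providers/Microsoft.Automation/automationAccounts/aa-art/runbooks/rb-art"
SAMPLE_LOG_LINES = [
    json.dumps({"timestamp": "2024-01-01T00:00:05Z", "protoPayload": {
        "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
        "authenticationInfo": {"principalEmail": "operator@example.com"}, "resourceName": _SA}}),
    json.dumps({"timestamp": "2024-01-01T00:00:06Z", "protoPayload": {  # routine read: must not fire
        "methodName": "google.iam.admin.v1.GetServiceAccount",
        "authenticationInfo": {"principalEmail": "operator@example.com"}, "resourceName": _SA}}),
    json.dumps({"eventTimestamp": "2024-01-01T00:01:00Z", "caller": "operator@example.com",  # Started: ignored
        "operationName": {"value": "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE"},
        "status": {"value": "Started"}, "resourceId": _RB}),
    json.dumps({"eventTimestamp": "2024-01-01T00:01:02Z", "caller": "operator@example.com",  # Succeeded: reported
        "operationName": {"value": "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE"},
        "status": {"value": "Succeeded"}, "resourceId": _RB}),
    "not a json record",  # exercises the malformed-line branch
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG_LINES):
        print(f"[{f.platform}] {f.timestamp} {f.title}: {f.actor} -> {f.resource}")
```

In production the `scan` input would be a Cloud Logging sink export or an Activity Log export rather than the inline list, and the GCP branch is usually tightened further by allow-listing the principals and projects that are expected to mint service account keys, since key creation by anyone else is the signal this test is meant to exercise.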
